Cheat Engine Forum - The Official Site of Cheat Engine

Packet Decrypting

fmwyso
Advanced Cheater
Reputation: 0

Joined: 10 Oct 2007
Posts: 50

Posted: Tue Oct 19, 2010 4:29 pm    Post subject: Packet Decrypting

Hi, I recently figured out a way to listen to packets on a game. Unfortunately, I have no idea how to remove gameguard and I can't find any gameguard mod files for it. So, because of that, I've decided to create my own program seeing as how it instantly shuts down as soon as CEG or WPE is open.

http://www.codeproject.com/KB/winsdk/Sniffer.aspx

Nearly every part of my code is directly from this example... I used his program to detect the messages sent/received by the game and, from what I saw, it only used TCP. Now, I have written the base for my program which simply is able to just tell me every time the game sends/receives a command. It can tell me the IP, ack number, sequence number, and various other information which I believe has little to do with the actual data being sent. Hopefully, I want to be able to actually know exactly what was sent (such as "use skill 520" or "Move to 500,200,300"), etc.

First of all, please tell me if this code is even able to do such a thing as actually grab the data from the packets. I know it can sniff out the IP, etc., but does it also have access to the data that is sent?

1) Are there any guides for finding data in packets? Hopefully highlighting the most common placement of values for TCP packets.

2) I know that many games have packet encryption, is there a tutorial on how to find that encryption? After I find the encryption, I'm sure I can google some type of library to decrypt it.

3) After I find the data and decrypt it, is there a tutorial/guide on finding out how they sequence their data? As in, the first 2 bytes are the id, next 2 are the command etc.
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8586
Location: 127.0.0.1

Posted: Tue Oct 19, 2010 4:58 pm

In most cases for any game that implements any of your questions, the quote "To each their own." fits fairly well. You will almost never find two similarly implemented systems between games (unless it's the same engine/same developer/etc.), which leaves tutorial writing for an 'overall' status fairly hard to do since the methods of finding things will vary.

One common method you can use to find encryption methods would be to locate where send/recv are called from in the game, and trace back the calls and follow the flow of code. In most cases the game will have some method / order of doing something like:

Encryption:
Build Packet -> Encrypt Packet -> Send to Client(s)

Decryption:
Receive Packet -> Decrypt Packet -> Read Packet Header / Handle Packet

Again, the order of this can change per game based on the developer's depth with coding and security.


Quote:
1) Are there any guides for finding data in packets? Hopefully highlighting the most common placement of values for TCP packets.


Firstly, there is no common placement for data. Data sent to clients from the server is usually structured data based on information requested. For example, if you have a structure in the game for, say, a monster's information, you could have:

struct MOBDATA {
    int   ServerId;
    int   Health;
    int   Mana;
    char* Name;     // Max length of 255
};

If the game doesn't alter the structure positions inside packets for security, your data will be in a similar order inside the packet.

For example:
ServerId: 12345
Health: 6950
Mana: 3453
Name: Evil Creature

Your packet may look like this:
Code:
39 30 00 00 1B 26 00 00 7D 0D 00 00 45 76 69 6c 20 43 72 65 61 74 75 72 65 00


Quote:
2) I know that many games have packet encryption, is there a tutorial on how to find that encryption? After I find the encryption, I'm sure I can google some type of library to decrypt it.


See above.

Quote:
3) After I find the data and decrypt it, is there a tutorial/guide on finding out how they sequence their data? As in, the first 2 bytes are the id, next 2 are the command etc.


You will need to debug the game and find the handlers for each packet. Once you find the handlers, you should see them reading parts of the packets based on offsets. You can determine the sizes based on the instructions used to read the data from the packet:

mov   eax, dword ptr [ecx+04]   ; 4 bytes
movzx eax, word ptr [ecx+04]    ; 2 bytes (zero-extended into eax)
movzx eax, byte ptr [ecx+04]    ; 1 byte  (zero-extended into eax)

And so on. Again, this all depends on how the game is coded and whether it has any methods for attempting to protect data.

_________________
- Retired.
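As an added example (not the forum's or any game's code), the following Python packs and parses a packet laid out like the MOBDATA struct above, assuming the fields appear in declaration order as little-endian 32-bit integers followed by a NUL-terminated Name of at most 255 bytes; the sample packet is constructed, not captured. The quick check for any guessed layout is to encode values you already know (for instance the health shown on screen) and compare them byte for byte with the capture, since byte order and field order are exactly the things a guess gets wrong.

```python
import struct

# Layout assumed for this example: three little-endian int32 fields, then a
# NUL-terminated ASCII name (the struct's comment says max length 255).
HEADER_FMT = "<iii"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
MAX_NAME = 255


def build_mobdata(server_id: int, health: int, mana: int, name: str) -> bytes:
    """Construct a MOBDATA packet (sample data, not real game traffic)."""
    raw = name.encode("ascii")
    if len(raw) > MAX_NAME:
        raise ValueError("Name exceeds 255 bytes")
    return struct.pack(HEADER_FMT, server_id, health, mana) + raw + b"\x00"


def parse_mobdata(packet: bytes) -> dict:
    """Decode the three ints and the name, refusing malformed input instead of
    reading past the buffer (the classic bug in a hand-written C handler)."""
    if len(packet) < HEADER_LEN + 1:
        raise ValueError("packet too short for MOBDATA header")
    server_id, health, mana = struct.unpack_from(HEADER_FMT, packet, 0)
    end = packet.find(b"\x00", HEADER_LEN)
    if end == -1:
        raise ValueError("Name is not NUL-terminated")
    if end - HEADER_LEN > MAX_NAME:
        raise ValueError("Name longer than 255 bytes")
    return {
        "ServerId": server_id,
        "Health": health,
        "Mana": mana,
        "Name": packet[HEADER_LEN:end].decode("ascii"),
    }


def hexdump(packet: bytes) -> str:
    """Render bytes in the same 'XX XX XX' style used in the post above."""
    return " ".join(f"{b:02X}" for b in packet)


if __name__ == "__main__":
    pkt = build_mobdata(12345, 6950, 3453, "Evil Creature")
    print(hexdump(pkt))
    print(parse_mobdata(pkt))
```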
SwaggaJackin'
Master Cheater
Reputation: 2

Joined: 06 Nov 2009
Posts: 312

Posted: Tue Oct 19, 2010 7:57 pm

Have you considered using Wireshark? It'd be a great alternative to writing your own packet sniffer.
fmwyso
Advanced Cheater
Reputation: 0

Joined: 10 Oct 2007
Posts: 50

Posted: Tue Oct 19, 2010 8:43 pm

SwaggaJackin' wrote:
Have you considered using Wireshark? It'd be a great alternative to writing your own packet sniffer.


I have considered it, but rejected them pretty fast... At first, I was planning on using WPE to just figure out what parts of the packet are for what things. E.g., look at the packet and hope that it has some obvious reason for certain parts.

The reason I don't want to use only a packet sniffer is that my purpose is purely for botting not hacking. Mainly because I am doing this so that I don't have to be on the game for hours on end just to get to some fun pvp. As far as I know, packet sniffers don't have enough scripting abilities to actually make a full featured bot.

I read your post wiccaan, and I understand... Thanks for clarifying.

New question after trying debugging: If my client says "debugger detected" and closes when I try to debug it, does that mean this debugging is impossibly hard, or that I just have to figure out what is causing it to notice I am debugging? Any tips on how to get it to stop doing the debugger thing? I have a feeling that, if I get it to go into debugging mode, my C++ debugging experience will kick in and I will have a chance of figuring out where it is decrypting, etc. (If that is wrong, please tell me.)
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8586
Location: 127.0.0.1

Posted: Wed Oct 20, 2010 10:08 am

You just need to find what's causing it to be detected. You can use a debugger such as OllyDbg and get some plugins such as OllyAdvanced to attempt to hide it with some basic methods, or look around for some customized versions of Olly which are fully altered to be hidden from most known detection methods.

Typically a few basic methods are used to detect a debugger:
- Process name, window names.
- IsDebuggerPresent() API
- CheckRemoteDebuggerPresent() API

There are a bunch of different plugins to handle the above methods; there are plenty of other detection methods as well, so you may need to do some digging to find exactly what causes it.

If you need to find some tutorials, plugins, and/or info for Olly, I'd recommend going to:
http://tuts4you.org

_________________
- Retired.